Data driven device detection

ABSTRACT

Data driven device detection is provided, whereby a device is detected by obtaining a plurality of feature values for a given device; obtaining a set of device attributes for a plurality of potential devices; calculating a probability value that the given device is each potential device within the plurality of potential devices; identifying a candidate device associated with a maximum probability value among the calculated probability values; and labeling the given device as the candidate device if the associated maximum probability value satisfies a predefined threshold. The predefined threshold can be a function, for example, of whether the given user has previously used this device. The obtained feature values can be obtained for a selected set of features satisfying one or more predefined characteristic criteria. The device attributes can be obtained, for example, from a profile for each of the plurality of potential devices.

FIELD OF THE INVENTION

The present invention relates generally to techniques for device detection in network communication systems.

BACKGROUND OF THE INVENTION

Recognizing the device being used by an employee, consumer or another user is helpful in many applications. For example, recognizing the device can help the server to better present its content (e.g., different presentations suit mobile devices, tablets and desktop devices), provide better statistics on site traffic, and personalize the user experience without having to identify the user.

In the security domain, such as Information Technology (IT) security systems and financial anti-fraud systems, device detection can serve as a powerful tool that aids in identifying the user and detecting impersonation attacks. In addition, device detection can serve as an additional valuable feature that makes risk assessment more accurate with a reduced false positive rate. For example, an identity claim that is generated by a device that the user has never used before is more likely to be a fraudulent transaction or an impersonation attack, especially when there are additional indicators that support this conclusion. On the other hand, reliable device detection can be used to increase usability by not asking the user for his or her credentials if the user is connecting from his or her regular device and several other features also have their expected values, e.g., the user's location, Internet Service Provider (ISP) and transaction time.

Existing adaptive authentication systems typically use device identification as part of a risk assessment process. Device detection is typically applied on the basis of device features, such as installed applications, hardware characteristics and configuration values. Unfortunately, these features often change over time, which makes device detection a challenging task.

A need therefore remains for improved device detection techniques.

SUMMARY OF THE INVENTION

The present invention in the illustrative embodiments described herein provides techniques for data driven device detection. In accordance with an aspect of the invention, device detection is performed by obtaining a plurality of feature values for a given device; obtaining a set of device attributes for a plurality of potential devices; calculating a probability value that the given device is each potential device within the plurality of potential devices; identifying a candidate device associated with a maximum probability value among the calculated probability values; and labeling the given device as the candidate device if the associated maximum probability value satisfies a predefined threshold. The predefined threshold can be a function, for example, of whether the given user has previously used this device. For example, the predefined threshold can have a lower value if the candidate device has been previously used by a user than if the candidate device has not been previously used by the user. In another variation, the predefined threshold can have a higher value if the candidate device has a number of substantially similar devices than if the candidate device does not have a number of substantially similar devices.

The obtained feature values can be obtained for a selected set of features satisfying one or more predefined characteristic criteria. The device attributes can be obtained, for example, from a profile for each of the plurality of potential devices.

The device detection can be performed, for example, as part of an authentication of a user, as part of a risk assessment of a user and/or to optimize a presentation of information to a user.

The device detection techniques of the illustrative embodiments overcome one or more of the problems associated with the conventional techniques described previously, and provide improved security by incorporating device detection based on data driven feature selection, probability-based estimation of the device and data driven threshold-based decisions. These and other features and advantages of the present invention will become more readily apparent from the accompanying drawings and the following detailed description.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic diagram illustrating an exemplary electronic environment in which the present invention can be implemented;

FIG. 2 is a schematic diagram illustrating an exemplary adaptive authentication device within the electronic environment shown in FIG. 1;

FIG. 3 illustrates an exemplary feature selector for evaluating a plurality of available features based on one or more exemplary characteristics to identify a selected set of features to evaluate;

FIG. 4 illustrates an exemplary device detector incorporating aspects of the present invention; and

FIG. 5 is a flow chart describing an exemplary implementation of a device detection process that incorporates aspects of the present invention.

DETAILED DESCRIPTION

The present invention provides techniques for data driven device detection, such as in an exemplary Adaptive Authentication (AA) system. According to one aspect of the invention, the disclosed techniques for data driven device detection employ data driven feature selection, probability-based estimation of the device and data driven threshold-based decisions. While the present invention is illustrated in the context of an exemplary Adaptive Authentication system, the present invention may be employed in any network communication system where device detection is desirable.

FIG. 1 illustrates an exemplary electronic environment 10 for carrying out the improved techniques. Electronic environment 10 includes communications medium 12, authentication requestor 18 and adaptive authentication system 13. As discussed further below, the adaptive authentication system 13 performs data driven device detection based on data driven feature selection, probability-based estimation of the device and data driven threshold-based decisions.

Communications medium 12 provides connections between adaptive authentication system 13 and authentication requestor 18. The communications medium 12 may implement a variety of protocols such as TCP/IP, UDP, ATM, Ethernet, Fibre Channel, combinations thereof, and the like. Furthermore, the communications medium 12 may include various components (e.g., cables, switches/routers, gateways/bridges, NAS/SAN appliances/nodes, interfaces, etc.). Moreover, the communications medium 12 is capable of having a variety of topologies (e.g., queue-manager-and-spoke, ring, backbone, multi-drop, point-to-point, irregular, combinations thereof, and so on).

Authentication requestor 18 is constructed and arranged to receive, from a user, requests to access data and to send, to adaptive authentication system 13, request 11 to authenticate the user. Authentication requestor 18 is further constructed and arranged to receive an adaptive authentication result 17 which indicates whether the user is at high risk of being a fraudulent user.

Request 11 takes the form of a message that includes various facts and their values; such messages are embedded in a payload of a data packet. Request 11 typically includes a username for the user and a timestamp indicating a time.

Adaptive authentication system 13 is constructed and arranged to receive authentication request 11 from authentication requestor 18. Adaptive authentication system 13 is also constructed and arranged to generate adaptive authentication result 17 based on request 11 and a baseline profile of the user, the baseline profile including a history of requests from the user over several previous time windows. Adaptive authentication system 13 is further constructed and arranged to send adaptive authentication result 17 to authentication requestor 18. Adaptive authentication system 13 includes adaptive authentication device 14 and storage device 15.

Storage device 15 is constructed and arranged to store database 16 which contains current and baseline profiles for a user. Database 16 includes a set of entries, each entry of which includes a user identifier, a time period and user data.

Adaptive authentication device 14 is constructed and arranged to perform adaptive authentication operations on request 11 according to the improved techniques and takes the form of a desktop computer, laptop, server or tablet computer. Specifically, adaptive authentication device 14 receives request 11 from authentication requestor 18 and accesses the baseline profile having a user identifier matching the username of request 11. Further details concerning adaptive authentication device 14 are described below with regard to FIG. 2.

FIG. 2 illustrates components of adaptive authentication device 14. Adaptive authentication device 14 includes a controller 20 which in turn includes a processor 22, a memory 24 and a network interface 26.

Memory 24 is configured to store code which includes instructions 25 to process an authentication request from an authentication requestor. Memory 24 is further configured to store data from database 16 and request 11. Memory 24 generally takes the form of, e.g., random access memory, flash memory or a non-volatile memory.

Processor 22 can take the form of, but is not limited to, an Intel™ or AMD™-based microprocessor unit (MPU), and can be a single-core or multi-core processor running single or multiple threads. Processor 22 is coupled to memory 24 and is configured to execute the instructions 25 stored in memory 24.

Network interface 26 is constructed and arranged to send and receive data over communications medium 12. Specifically, network interface 26 is configured to receive request 11 from, and to send adaptive authentication result 17 to, authentication requestor 18.

Returning to FIG. 1, adaptive authentication result 17 indicates a likelihood that request 11 is associated with fraudulent activity. Processor 22 generates adaptive authentication result 17 based on fact values of request 11 and user data in database 16, as discussed further below in conjunction with FIGS. 3 through 5.

During operation, authentication requestor 18 sends request 11 to adaptive authentication device 14 via network interface 26. Processor 22 stores data such as the username, fact values and timestamp from request 11 in memory 24. Processor 22 accesses database 16 and performs a lookup operation on the username; that is, processor 22 compares the username to the user identifiers in each entry of database 16 and chooses those entries having a user identifier which matches the username.

The lookup operation will result in several entries from database 16, each of whose user identifiers matches the username stored in memory 24 but whose user data corresponds to a different time interval. The time intervals of the entries of the database that have a user identifier matching the username of request 11 are distinct and non-overlapping. For example, while one entry has a time interval which ends at the current time and begins at 12 AM the previous Sunday, another entry has a time interval which ends at 11:59 PM the previous Saturday and begins at 12 AM the Sunday prior, and so on.

Processor 22 optionally combines the fact values stored in memory 24 with the fact values in the entry of database 16 that corresponds to the current time interval. For a more detailed discussion of suitable Adaptive Authentication systems, see, for example, U.S. patent application Ser. No. 13/246,937, filed Sep. 28, 2011, entitled “Using Baseline Profiles In Adaptive Authentication” and/or United States Patent Application entitled “Techniques for Authenticating Users of Massive Multiplayer Online Role Playing Games Using Adaptive Authentication,” each incorporated by reference herein.

Data Driven Device Detection

As indicated above, aspects of the disclosed device detection techniques employ data driven feature selection, probability-based estimation of the device and data driven threshold-based decisions.

Data Driven Feature Selection

FIG. 3 illustrates an exemplary feature selector 300 for evaluating a plurality of available features 310 based on one or more exemplary characteristics 320 to identify a selected set of features 340. Typically, the selected set of features 340 is predefined and fixed for a given device detection system.

In one exemplary embodiment, the exemplary feature selector 300 evaluates the plurality of available features 310 based on the following exemplary feature characteristics 320 to identify the selected set of features 340 to use for a given device detection system:

Uniqueness 322: The value of the feature is as unique as possible when compared between different devices. For example, a MAC address is considered unique since two devices will usually not have the same MAC address.

Stability 324: The value of the feature should remain relatively constant over time. This allows the device feature values to be learned with high confidence that these values will be the same at the next occurrence of this device.

Existence 326: The feature should have a value in most of the appearances of the device, so that the device detection module is able to rely on, or infer from, its current value.

Resistance to Modification 328: It should be difficult to change the value of the feature, so that it can be assumed that an attacker did not modify this value. For example, a hostname is relatively easy to modify, which renders it less trustworthy.

Difficult to Acquire 330: It should be difficult to mimic the feature values of a legitimate user. For example, learning the operating system of a regular user is relatively easy, while acquiring his or her specific MAC address and copying MAC addresses is much more difficult. Note that a MAC address is not carried across IP routers, so a server-side system sees it only when the client or an agent reports it; this criterion concerns how hard it is to learn the legitimate user's value, not how hard it is to set one's own.

It is noted that the feature selector 300 function can be performed by a human, for example, employing enterprise best practice techniques. In further variations, the feature selector 300 can employ one or more of the following exemplary tools for estimating the above characteristics 320: information-based tests, such as entropy measures and information gain; Kullback-Leibler (KL) divergence for stability estimation; and wrapper-based models.
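The following Python example is added here to show how the three characteristics that can be measured from data (uniqueness, stability and existence) might be scored with the tools just named; it is not code from the patent. Uniqueness is scored as normalized entropy of each device's dominant value, stability as a smoothed KL divergence between two time windows, and existence as the fraction of sessions carrying the feature. The session records, the feature names and the selection cut-offs are all constructed for the example; resistance to modification and difficulty to acquire are left to analyst judgement, as the text allows.

```python
import math
from collections import Counter

# Constructed sample data (not from the patent): each tuple is one observed
# session of a known device, tagged with a time window; None marks a feature
# that was missing from that session.
SESSIONS = [
    ("dev-A", 1, {"mac": "aa:aa", "hostname": "alice-pc", "os": "Windows7"}),
    ("dev-A", 1, {"mac": "aa:aa", "hostname": "alice-pc", "os": "Windows7"}),
    ("dev-A", 2, {"mac": "aa:aa", "hostname": "alice-pc", "os": "Windows7"}),
    ("dev-A", 2, {"mac": "aa:aa", "hostname": "ALICE-PC2", "os": "Windows7"}),
    ("dev-B", 1, {"mac": "bb:bb", "hostname": "bob-laptop", "os": "Windows7"}),
    ("dev-B", 1, {"mac": "bb:bb", "hostname": None, "os": "Windows7"}),
    ("dev-B", 2, {"mac": "bb:bb", "hostname": "bob-laptop", "os": "Windows7"}),
    ("dev-B", 2, {"mac": "bb:bb", "hostname": "bobs-new-name", "os": "Windows7"}),
    ("dev-C", 1, {"mac": "cc:cc", "hostname": "carol", "os": "MacOSX"}),
    ("dev-C", 1, {"mac": "cc:cc", "hostname": "carol", "os": "MacOSX"}),
    ("dev-C", 2, {"mac": "cc:cc", "hostname": "carol", "os": "MacOSX"}),
    ("dev-C", 2, {"mac": "cc:cc", "hostname": None, "os": "MacOSX"}),
]
FEATURES = ("mac", "hostname", "os")


def _entropy_bits(counter):
    n = sum(counter.values())
    return -sum(c / n * math.log2(c / n) for c in counter.values())


def _value_counts(sessions, feature, device, window=None):
    """Counter of non-missing values of `feature` for one device (optionally one window)."""
    return Counter(
        f[feature] for dev, w, f in sessions
        if dev == device and f.get(feature) is not None and (window is None or w == window)
    )


def uniqueness(feature, sessions=SESSIONS):
    """Normalized entropy of each device's dominant value: 1.0 = every device distinct."""
    devices = sorted({dev for dev, _, _ in sessions})
    dominant = Counter()
    for dev in devices:
        counts = _value_counts(sessions, feature, dev)
        if counts:
            dominant[counts.most_common(1)[0][0]] += 1
    if len(devices) < 2:
        return 0.0
    return _entropy_bits(dominant) / math.log2(len(devices))


def existence(feature, sessions=SESSIONS):
    """Fraction of sessions in which the feature carried a value."""
    return sum(1 for _, _, f in sessions if f.get(feature) is not None) / len(sessions)


def instability(feature, sessions=SESSIONS, alpha=1.0):
    """Mean KL divergence (bits) between a device's window-1 and window-2 value
    distributions, Laplace-smoothed so an unseen value never gives log(0).
    0.0 = perfectly stable; larger means the value drifts between windows."""
    devices = sorted({dev for dev, _, _ in sessions})
    total = 0.0
    for dev in devices:
        c1 = _value_counts(sessions, feature, dev, window=1)
        c2 = _value_counts(sessions, feature, dev, window=2)
        support = set(c1) | set(c2)
        n1 = sum(c1.values()) + alpha * len(support)
        n2 = sum(c2.values()) + alpha * len(support)
        for v in support:
            p = (c1[v] + alpha) / n1
            q = (c2[v] + alpha) / n2
            total += p * math.log2(p / q)
    return total / len(devices)


def select_features(sessions=SESSIONS, min_uniqueness=0.5, min_existence=0.9, max_instability=0.05):
    """Data driven feature selection: keep the features that pass every criterion.
    The cut-off values are assumptions chosen for this example."""
    return [
        feat for feat in FEATURES
        if uniqueness(feat, sessions) >= min_uniqueness
        and existence(feat, sessions) >= min_existence
        and instability(feat, sessions) <= max_instability
    ]


if __name__ == "__main__":
    for feat in FEATURES:
        print(f"{feat:9s} uniqueness={uniqueness(feat):.3f} "
              f"existence={existence(feat):.3f} instability={instability(feat):.3f}")
    print("selected:", select_features())
```

On this sample the hostname fails both the existence and the stability cut-offs while the MAC address and operating system pass, which is the ranking the text argues for.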

Probability-Based Device Estimation

As previously indicated, the values of the features of a specific device may change due to the dynamic environment, noise or parsing errors in the data monitoring systems, or due to missing data. Thus, different appearances of the same device may look different when performing an exact match on its values. Instead of seeking exact matches, aspects of the present invention estimate the posterior probability of the device being device_(i), given the device features and the profile of device_(i), which may be expressed as follows:

$$P\left(\text{device} = \text{device}_i \mid \text{feature}_1 = X_1,\ \text{feature}_2 = X_2,\ \ldots,\ \text{feature}_n = X_n,\ \text{profile}(\text{device}_i)\right). \quad (1)$$

In other words, the probability that a device is device_(i) depends on the session attributes (i.e., the feature values for the selected features 340 for the current session) and the device attributes (i.e., the historical device attributes recorded in the profile). The profile of device_(i) records, for example, information collected about the device during prior sessions. Then, a given device is assigned to be device_(j), where

$$j = \underset{i}{\arg\max}\left\{ P\left(\text{device}_i \mid \text{features},\ \text{profile}(\text{device}_i)\right) \right\}. \quad (2)$$

Specifically, it can be assumed that the different features in the selected set of features 340 are statistically independent (e.g., the value of the MAC address does not influence the hostname, and vice versa). Hence, the overall posterior probability can be evaluated as the product of the single-feature probabilities, as follows:

$$\prod_{k=1}^{n} P\left(\text{device} = \text{device}_i \mid \text{feature}_k = X_k,\ \text{profile}(\text{device}_i)\right). \quad (3)$$

Each single-feature probability can be estimated from the stability of the device profile and the similarity of the feature value to the values in the device profile. Different similarity measures should be defined for the different feature types. For example:

1. For a feature that has many instances on the device (e.g., each device usually has several MAC addresses), an intersection-based similarity measure should be applied, such as the Jaccard index.

2. For a feature with one instance and no internal meaning (e.g., hostname), an exact match should be used. This can be relaxed if errors in the data may cause modifications of the feature value.

3. For a feature with one instance and some meaning (e.g., operating system), a pair-wise distance function can be defined. For example, an upgrade from Windows XP to Windows 7 is rare but explainable, whereas downgrading from Windows 7 to Windows XP or switching entirely to a different platform such as Mac OS X is much less probable and may indicate that this is a different device.
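The Python example below is added to make the three similarity types, the product form of equation (3) and the argmax of equation (2) concrete, together with the two-threshold decision described later under the data driven threshold-based decision; it is not the patent's own code. The device profiles, the session, the profile stability weights, the Windows version ordering, the distance scores for upgrade, downgrade and platform switch, the mismatch floor for the hostname and both thresholds are assumptions constructed for the example.

```python
# Added example, not the patent's code. All profile data, weights and thresholds
# below are assumptions constructed for illustration.

# Ordered so that a later index is a newer Windows release (assumption).
WINDOWS_ORDER = ["WindowsXP", "Windows7", "Windows8", "Windows10"]

# Assumed profile feature values: macs = every MAC seen for the device,
# hostname/os = last recorded values, stability = prior confidence in the profile.
PROFILES = {
    "dev-1": {"macs": {"m1", "m2"}, "hostname": "alice-pc", "os": "WindowsXP", "stability": 0.9},
    "dev-2": {"macs": {"m3"}, "hostname": "bob-laptop", "os": "Windows7", "stability": 0.8},
    "dev-3": {"macs": {"m1"}, "hostname": "shared-kiosk", "os": "MacOSX", "stability": 0.5},
}

# Constructed session: a new adapter appeared, the OS was upgraded, hostname unchanged.
SESSION = {"macs": {"m1", "m2", "m4"}, "hostname": "alice-pc", "os": "Windows7"}


def jaccard(a, b):
    """Type 1: intersection-based similarity for a multi-instance feature."""
    a, b = set(a), set(b)
    return 1.0 if not a and not b else len(a & b) / len(a | b)


def hostname_similarity(seen, current, mismatch_floor=0.1):
    """Type 2: exact match for a single-instance feature with no internal meaning,
    relaxed with a small floor so one parsing error does not zero the whole product."""
    return 1.0 if seen == current else mismatch_floor


def os_similarity(seen, current):
    """Type 3: pair-wise distance for a meaningful single-instance feature. An upgrade
    is plausible, a downgrade rare, a platform switch rarer still (assumed scores)."""
    if seen == current:
        return 1.0
    if seen in WINDOWS_ORDER and current in WINDOWS_ORDER:
        return 0.6 if WINDOWS_ORDER.index(current) > WINDOWS_ORDER.index(seen) else 0.1
    return 0.05


def device_probability(session, profile):
    """Equation (3): profile stability times the product of per-feature similarities.
    A feature missing from the session contributes no factor (no evidence either way)."""
    p = profile["stability"]
    if session.get("macs") is not None:
        p *= jaccard(session["macs"], profile["macs"])
    if session.get("hostname") is not None:
        p *= hostname_similarity(profile["hostname"], session["hostname"])
    if session.get("os") is not None:
        p *= os_similarity(profile["os"], session["os"])
    return p


def detect_device(session, profiles, user_devices, known_threshold=0.3, new_threshold=0.7):
    """Equation (2) plus the two-threshold decision: the lower threshold applies when
    the user has used the candidate before, the higher one otherwise.
    Returns (label or None, best probability, all probabilities)."""
    scores = {dev: device_probability(session, prof) for dev, prof in profiles.items()}
    best = max(scores, key=scores.get)
    threshold = known_threshold if best in user_devices else new_threshold
    label = best if scores[best] >= threshold else None
    return label, scores[best], scores


if __name__ == "__main__":
    print(detect_device(SESSION, PROFILES, user_devices={"dev-1"}))  # labelled dev-1 at 0.36
    print(detect_device(SESSION, PROFILES, user_devices=set()))      # same 0.36, below 0.7: no label
```

The same session scores 0.36 against dev-1 in both calls; it is labelled only when the user is already known to use dev-1, which is exactly the effect of the two thresholds. A hostname mismatch or a MAC set with no overlap drives the product toward zero, so a candidate that shares one adapter with a kiosk profile (dev-3) stays far below either threshold.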

Data Driven Threshold-Based Decision

Once the maximal posterior probability P(device=device_(i)) is estimated in accordance with equations (1) or (3), a decision is made by comparing the probability value to a given threshold. If the determined probability value is higher than the predefined threshold, then the current device is labeled as device_(i).

According to a further aspect of the present invention, the predefined threshold can optionally be trained over real training data: a set of true and false samples can be generated by extracting, for a specific sample of device_(i) and a randomly chosen device_(j), the posterior probabilities P(device=device_(i)) and P(device=device_(j)). The first value represents a true match and the latter value represents a false match. Then, a threshold can be set such that it maximizes some goodness criterion, e.g., accuracy, detection rate at a specific false alarm rate and/or minimal EER (Equal Error Rate). The threshold that gives the best results over the training set is used in the online system. This threshold can be updated periodically to make sure that there are no significant deviations between the training set and the test set.
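The Python example below is added to show the threshold-training step on a set of true-match and false-match scores; it is not the patent's own code. The two score lists are constructed for the example (in a real system they would be the posterior probabilities extracted as described above), and the three selection rules implement the goodness criteria the text names: maximal accuracy, detection rate at a fixed false alarm rate, and minimal EER.

```python
# Added example, not the patent's code. Constructed training scores:
# P(device = device_i) for genuine samples and P(device = device_j) for a
# randomly chosen other device, as the threshold-training step describes.
TRUE_SCORES = [0.95, 0.90, 0.88, 0.80, 0.75, 0.70, 0.62, 0.55, 0.40, 0.30]
FALSE_SCORES = [0.65, 0.50, 0.45, 0.35, 0.30, 0.20, 0.15, 0.10, 0.05, 0.02]


def rates_at(threshold, true_scores, false_scores):
    """(detection rate, false alarm rate) when a match is declared at score >= threshold."""
    detection = sum(s >= threshold for s in true_scores) / len(true_scores)
    false_alarm = sum(s >= threshold for s in false_scores) / len(false_scores)
    return detection, false_alarm


def candidate_thresholds(true_scores, false_scores):
    """Every observed score is a candidate cut point; nothing between two scores changes the rates."""
    return sorted(set(true_scores) | set(false_scores))


def best_accuracy_threshold(true_scores, false_scores):
    """Threshold maximizing balanced accuracy (true and false sets weighted equally)."""
    best_t, best_acc = None, -1.0
    for t in candidate_thresholds(true_scores, false_scores):
        d, f = rates_at(t, true_scores, false_scores)
        acc = (d + (1.0 - f)) / 2.0
        if acc > best_acc:
            best_t, best_acc = t, acc
    return best_t, best_acc


def eer_threshold(true_scores, false_scores):
    """Threshold where the miss rate (1 - detection) and the false alarm rate are
    closest; returns (threshold, EER) with EER the mean of the two rates there."""
    best_t, best_gap, eer = None, float("inf"), None
    for t in candidate_thresholds(true_scores, false_scores):
        d, f = rates_at(t, true_scores, false_scores)
        miss = 1.0 - d
        if abs(miss - f) < best_gap:
            best_t, best_gap, eer = t, abs(miss - f), (miss + f) / 2.0
    return best_t, eer


def threshold_at_false_alarm(true_scores, false_scores, max_false_alarm):
    """Lowest threshold (hence highest detection rate) whose false alarm rate stays within budget."""
    for t in candidate_thresholds(true_scores, false_scores):
        d, f = rates_at(t, true_scores, false_scores)
        if f <= max_false_alarm:
            return t, d
    return None, 0.0


if __name__ == "__main__":
    print("max accuracy:", best_accuracy_threshold(TRUE_SCORES, FALSE_SCORES))
    print("EER:", eer_threshold(TRUE_SCORES, FALSE_SCORES))
    print("FAR <= 10%:", threshold_at_false_alarm(TRUE_SCORES, FALSE_SCORES, 0.10))
```

Running the three rules on the same data gives different operating points (0.55 for accuracy, 0.50 for EER, 0.55 for a 10% false alarm budget), which is why the text leaves the goodness criterion to the deployment; the periodic re-training it mentions is simply re-running this selection on fresh true and false samples.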

Additionally, the system can optionally use two thresholds. If a device is currently used by user X, and that user often uses device_(i), then the system is more inclined to decide that the current device is indeed device_(i), which means using a lower threshold for the decision. On the other hand, if the user has never used device_(i), then a stronger similarity is required to decide that device_(i) is indeed a device of user X, which is expressed by using a higher threshold. In another variation, a higher threshold is employed when there are a number of similar devices.

FIG. 4 illustrates an exemplary device detector 400 incorporating aspects of the present invention. As shown in FIG. 4, the exemplary device detector 400 assigns a selected device label 450 to a given device based on session attributes 410 (i.e., the feature values for the selected features 340 for the current session) and the device attributes 420 (i.e., the historical device attributes recorded in the profile).

As discussed further below in conjunction with FIG. 5, the exemplary device detector 400 determines the probability that a device is device_(i) based on the session attributes 410 and the device attributes 420 for all devices, selects the device with the maximum probability and then makes a device detection decision by comparing the determined maximum probability value to a predefined threshold. In one exemplary embodiment, the predefined threshold is a function of whether the given user has previously used this device.

FIG. 5 is a flow chart describing an exemplary implementation of a device detection process 500 that incorporates aspects of the present invention. As shown in FIG. 5, in an exemplary adaptive authentication setting, the exemplary device detection process 500 initially receives an authentication request during step 510 from the authentication requestor 18. The device detection process 500 then obtains the session attributes 410 and the device attributes 420 for each possible device during step 520 and calculates the probability value for each possible device during step 530.

The exemplary device detection process 500 determines the device with the maximum probability value during step 540, and makes a device detection decision during step 550 by comparing the determined maximum probability value to a predefined threshold. As indicated above, in one exemplary embodiment, the predefined threshold is a function of whether the given user has previously used this device. If a device is currently used by user X, and that user often uses device_(i), then the system is more inclined to decide that the current device is indeed device_(i), which means using a lower threshold for the decision. On the other hand, if the user has never used device_(i), then a stronger similarity is required to decide that device_(i) is indeed a device of user X, which is expressed by using a higher threshold.

Additionally, the adaptive authentication device 14 optionally updates its records in the user database 16 with data gathered during the user login attempt. Such information may include identification information of a new user device, a new location, a new access time, etc. Generally, the outcome of the authentication challenge is applied to an adapting algorithm, and the classifier can be modified using supervised learning techniques to fit the new information.

Among other benefits, the disclosed device detection techniques generate and update device profiles via a probabilistic comparison. In addition, the disclosed device detection techniques are robust and adaptive and can handle modifications, configuration changes and noisy or missing data. Additionally, the disclosed device detection techniques employ data that is already being monitored by many SIEM systems, so no additional deployment of hardware or software is required.

While various embodiments of the invention have been particularly shown and described, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.

Furthermore, it should be understood that some embodiments are directed to device detection within an adaptive authentication device 14 which identifies particular events for alerting within an event notification management system. Some embodiments are directed to an adaptive authentication device 14 that performs device detection. Some embodiments are directed to a system that processes an authentication request from an authentication requestor that includes device detection in accordance with the present invention. Some embodiments are directed to a method for device detection. Also, some embodiments are directed to a computer program product that enables computer logic to perform device detection.

In some arrangements, adaptive authentication device 14 is implemented by a set of processors or other types of control/processing circuitry running software. In such arrangements, the software instructions can be delivered to adaptive authentication device 14 in the form of a computer program product (illustrated generally by code for computer program 90 stored within memory 24 in FIG. 2) having a computer readable storage medium which stores the instructions in a non-volatile manner. Alternative examples of suitable computer readable storage media include tangible articles of manufacture and apparatus such as CD-ROM, flash memory, disk memory, tape memory, and the like.

As mentioned previously herein, the above-described embodiments of the invention are presented by way of illustrative example only. Numerous variations and other alternative embodiments may be used.

The term “authentication information” as used herein is intended to include passwords, passcodes, answers to life questions, or other authentication credentials, or values derived from such authentication credentials, or more generally any other information that a user may be required to submit in order to obtain access to an access-controlled application. Although the illustrative embodiments are described herein in the context of adaptive authentication, it is to be appreciated that the invention is more broadly applicable to any other type of network communication system.

The illustrative embodiments of the invention as described herein provide improved device detection techniques. Advantageously, the illustrative embodiments do not require changes to existing communication protocols; the techniques are therefore transparent to both existing applications and communication protocols. The described techniques may be used with security tokens that generate one-time passwords or other types of authentication information, regardless of whether such tokens are connectable to the user device.

It should again be emphasized that the particular device detection techniques described above are provided by way of illustration and should not be construed as limiting the present invention to any specific embodiment or group of embodiments. Also, the particular configuration of system elements shown in the figures and their interactions may be varied in other embodiments. Moreover, the various simplifying assumptions made above in the course of describing the illustrative embodiments should also be viewed as exemplary rather than as requirements or limitations of the invention. Numerous alternative embodiments within the scope of the appended claims will be readily apparent to those skilled in the art.

What is claimed is:
 1. A method for device detection, the method comprising: obtaining a plurality of feature values for a given device; obtaining a set of device attributes for a plurality of potential devices; calculating a probability value that the given device is each potential device within said plurality of potential devices based on said plurality of feature values for said given device and one or more device attributes for said given device; identifying a candidate device associated with a maximum probability value among said calculated probability values; and labeling said given device as said candidate device if said associated maximum probability value satisfies a predefined threshold.
 2. The method of claim 1, wherein said predefined threshold is a function of whether the given user has previously used this device.
 3. The method of claim 2, wherein said predefined threshold has a lower value if said candidate device has been previously used by the given user than if said candidate device has not been previously used by the given user.
 4. The method of claim 1, wherein said predefined threshold has a higher value if said candidate device has a number of substantially similar devices than if said candidate device does not have a number of substantially similar devices.
 5. The method of claim 1, wherein said obtained plurality of feature values are obtained for a selected set of features satisfying one or more predefined characteristic criteria.
 6. The method of claim 1, wherein said device attributes are obtained from a profile for each of said plurality of potential devices.
 7. The method of claim 1, wherein said method is performed as part of one or more of an authentication of a user and a risk assessment of a user.
 8. A computer program product comprising a non-transitory machine-readable storage medium having encoded therein executable code of one or more software programs, wherein the one or more software programs when executed perform the steps of the method of claim 1.
 9. An apparatus for device detection, the apparatus comprising: a memory; and at least one hardware device, coupled to the memory, operative to: obtain a plurality of feature values for a given device; obtain a set of device attributes for a plurality of potential devices; calculate a probability value that the given device is each potential device within said plurality of potential devices based on said plurality of feature values for said given device and one or more device attributes for said given device; identify a candidate device associated with a maximum probability value among said calculated probability values; and label said given device as said candidate device if said associated maximum probability value satisfies a predefined threshold.
 10. The apparatus of claim 9, wherein said predefined threshold is a function of whether the given user has previously used this device.
 11. The apparatus of claim 10, wherein said predefined threshold has a lower value if said candidate device has been previously used by the given user than if said candidate device has not been previously used by the given user.
 12. The apparatus of claim 9, wherein said predefined threshold has a higher value if said candidate device has a number of substantially similar devices than if said candidate device does not have a number of substantially similar devices.
 13. The apparatus of claim 9 wherein said obtained plurality of feature values are obtained for a selected set of features satisfying one or more predefined characteristic criteria.
 14. The apparatus of claim 9, wherein said device attributes are obtained from a profile for each of said plurality of potential devices.
 15. The apparatus of claim 9, wherein said apparatus is employed during one or more of an authentication of a user and a risk assessment of a user.
 16. The method of claim 1, wherein said probability value can be estimated based on a similarity of a given feature value from among said plurality of feature values to feature values in a device profile.
 17. The method of claim 16, wherein said similarity of said given feature value is based on one or more of an intersection-based similarity measure for a feature that has multiple instances among said plurality of potential devices; an exact match similarity for a feature with one instance among said plurality of potential devices and no internal meaning; and a pair-wise distance function for a feature with one instance among said plurality of potential devices and at least some meaning.
 18. The apparatus of claim 9, wherein said probability value can be estimated based on a similarity of a given feature value from among said plurality of feature values to feature values in a device profile, and wherein said similarity of said given feature value is based on one or more of an intersection-based similarity measure for a feature that has multiple instances among said plurality of potential devices; an exact match similarity for a feature with one instance among said plurality of potential devices and no internal meaning; and a pair-wise distance function for a feature with one instance among said plurality of potential devices and at least some meaning. 